Development teams are always on a mission to create better quality software, be more efficient, and please their users as much as possible.
The introduction of AI into the development pipeline makes this possible, from software intelligence to AI-assisted development tools. Both can work hand in hand to reach the same goal, but there’s a difference between software intelligence and intelligent software.
AI-assisted development tools are products that use AI to do things like suggest code, automate documentation, or generally increase productivity. Vincent Delaroche, founder and CEO of CAST, defines software intelligence as tools that analyze code to give you visibility into it, so you can understand how the individual components work together and identify bugs or vulnerabilities.
So while these intelligent software tools help you write better code, the software intelligence tools sift through that code and make sure it is as high quality as possible, and make recommendations on how to get to that point.
“Custom software is seen as a big complex black box that very few people understand clearly, including the subject matter experts of a given system,” said Delaroche. “When you have tens of millions of lines of code, which represent tens of thousands of individual components which all interact between each other, there is no one on the planet who can claim to be able to understand and be able to control everything in such a complex piece of technology.”
Similarly, even the smartest developer doesn’t know every possible option available to them when writing code. That’s where AI-assisted development comes in, because these tools can suggest the best possible piece of code for the application.
For example, a developer could provide a piece of code to ChatGPT and ask it for better ways of writing the code.
According to Diego Lo Giudice, principal analyst at Forrester, Amazon DevOps Guru serves a similar purpose on the configuration side. It uses AI to detect possible operational issues and can be used to configure your pipelines better.
Lo Giudice explained that quality issues aren’t always the result of bad code; sometimes the systems around the software are not configured correctly and that can result in issues too, and these tools can help identify those problem configurations.
George Apostolopoulos, head of analytics at Endor Labs, further explained the capabilities of software intelligence tools as being able to perform simple rules checks, provide counts and basic statistics like averages, and do more complex statistical analysis such as distributions, outliers and anomalies.
Software intelligence is crucial if you’re working with dependencies
Software intelligence plays a big role not only in quality, but in security as well, solving a number of challenges with open source software (OSS) dependencies.
These tools can help by evaluating the development and security practices behind a dependency, scanning its code for vulnerable code, and scanning it for malicious code. They use global data to identify things like typosquatting and dependency confusion attacks.
According to Apostolopoulos, there are a number of things that can go amiss when adding in new dependencies, updating old ones, or just changing code around.
“In the last few years a number of attacks exposed the potential of the software supply chain for being a very effective attack vector with tremendous force multiplying effects,” said Apostolopoulos. “As a result, a new problem is to ensure that a dependency we want to introduce is not malicious, or a new version of an existing dependency does not become malicious (because its code or maintainer were compromised) or the developer does not fall victim to attacks targeting the development process like typosquatting or dependency confusion.”
When introducing new dependencies, there are a number of questions the developer needs to answer, such as which piece of code will actually solve their problem, as a start. Software intelligence tools come into play here by recommending candidates based on a number of criteria, such as popularity, activity, amount of support, and history of vulnerabilities.
Then, to actually introduce this code, more questions pop up. “The dependency tree of a modestly complex piece of software will be very large,” Apostolopoulos noted. “Developers need to answer questions like: do I depend on a particular dependency? What is the potentially long chain of transitive dependencies that brings it in? In how many places in my code do I need it?”
It is also possible in large codebases to be left with unused and out-of-date dependencies as code changes. “In a large codebase these are hard to find by reviewing the code, but after constructing an accurate and up to date dependency graph and call graph these can be automatically identified,” Apostolopoulos said. “Some developers may be comfortable with tools automatically generating pull requests that recommend changes to their code to fix issues and in this case, software intelligence can automatically create pull requests with the proposed actions.”
Having a tool that automatically provides you with this visibility can really reduce the mental effort required by developers to maintain their software.
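As an added illustration of the dependency-graph and call-graph questions Apostolopoulos raises (do I depend on X, through which chain, and what is declared but unused), plus the typosquatting check mentioned earlier, the following Python is example code written for this article, not an Endor Labs tool. The package names, the lock-file style graph, the set of imported packages and the "well-known names" list are all constructed.

```python
from collections import deque
from difflib import SequenceMatcher
# Constructed sample data (not from any real ecosystem): a lock-file style graph
# of package -> declared deps; "webapp" is the app, its entry = manifest's direct deps.
DEP_GRAPH = {
    "webapp": ["requests-lib", "yaml-parse", "old-logger"],
    "requests-lib": ["urlkit", "charset-detect"],
    "urlkit": ["idna-codec"],
    "old-logger": ["colorize"],
    "yaml-parse": [], "charset-detect": [], "idna-codec": [], "colorize": [],
}
# What a call graph reports the app's own code importing (constructed so
# "old-logger" is declared but unused), and a stand-in for registry "global data".
IMPORTED_BY_APP = {"requests-lib", "yaml-parse"}
KNOWN_POPULAR = {"requests-lib", "yaml-parse", "urlkit", "numpy-core"}

def _reach(root, graph):
    """BFS from root; maps each reachable package to the one that pulled it in."""
    parent, queue = {root: None}, deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in parent:
                parent[dep] = pkg
                queue.append(dep)
    return parent

def transitive_closure(root, graph=DEP_GRAPH):
    """Every package reachable from root, root itself excluded."""
    return set(_reach(root, graph)) - {root}

def dependency_chain(root, target, graph=DEP_GRAPH):
    """Shortest root -> ... -> target chain, or None if target is not a dependency."""
    parent, path = _reach(root, graph), []
    if target not in parent:
        return None
    while target is not None:
        path.append(target)
        target = parent[target]
    return path[::-1]

def removable_packages(root, imported, graph=DEP_GRAPH):
    """Unused direct deps plus the transitive deps that only they bring in."""
    needed = set(imported).union(*(transitive_closure(p, graph) for p in imported))
    return transitive_closure(root, graph) - needed

def typosquat_candidates(name, known=KNOWN_POPULAR, threshold=0.85):
    """Well-known names a new dependency is suspiciously close to, but not equal."""
    return sorted(k for k in known if k != name
                  and SequenceMatcher(None, name, k).ratio() >= threshold)
```

On real projects the graph comes from the lock file and the imported set from a call graph or import scan; the removable set is what an automated pull request would propose dropping.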
The software landscape is a “huge mess”
Delaroche said that many CIOs and CTOs may not be willing to publicly admit this, but the portfolio of software assets that runs the world, the one that exists in the largest corporations, is becoming a huge mess.
“It’s becoming less and less easy to control and to master and to manage and to evolve on,” said Delaroche. “Lots of CIOs and CTOs are overwhelmed by software complexity.”
In 2011, Marc Andreessen famously claimed that “software is eating the world.” Delaroche said this is more true than ever as software becomes more and more complex.
He brought up the recent example of Southwest Airlines. Over the holidays, the airline canceled over 2,500 flights, which was about 61% of its planned flights. The blame for this was placed on a number of issues: winter storms, staffing shortages, and outdated technology.
The airline’s chief operating officer Andrew Watterson said in a call with employees: “The process of matching up those crew members with the aircraft could not be handled by our technology … As a result, we had to ask our crew schedulers to do this manually, and it’s extraordinarily difficult … They would make great progress, and then some other disruption would happen, and it would unravel their work. So, we spent multiple days where we kind of got close to finishing the problem, and then it had to be reset.”
While something as disruptive as this may not happen every day, Delaroche said that every day companies are facing major crises. It’s just that the ones we know about are the ones that are big enough to make it into the press.
“Once in a while we see a big business depending on software that fails,” he said. “I think that in five to ten years, this will be the case on a weekly basis.”
Another area to apply shift-left to
Over the last several years, many elements of the software development process have shifted left. Galael Zino, founder and chief executive of NetFoundry, thinks that software analysis also needs to shift left.
This might sound counterintuitive. How can you analyze code that doesn’t exist yet? But Zino shared three changes that developers can make to achieve this shift.
First, they should adopt a secure-by-design mentality. He recommends minimizing reliance on third-party libraries because often they contain much more than the specific use case you need. For the ones you do need, it’s important to do a thorough review of that code and its dependencies.
Second, developers should add more instrumentation than they think they will need because it’s easier to add instrumentation for analysis at the start than when something is already in production.
Third, take steps to minimize the attack surface. The internet is the largest single surface area, so reduce risk by ensuring that your software only communicates with authorized users, devices, and servers.
“Those entities still leverage Internet access, but they can’t access your app without cryptographically validated identity, authentication and authorization,” he said.
What does the future hold for these tools?
Over the past six months Lo Giudice has seen a big acceleration in adoption of tools that use large language models.
However, he doesn’t expect everyone to be writing all their code using ChatGPT just yet. There are a lot of things that need to be in place before a company can really bring all this into their software development pipeline.
Companies will need to start scaling these things up, define best practices, and define the guardrails that need to be put in place. Lo Giudice believes we are still about three to five years away from that happening.
Another thing that the industry will have to grapple with as these tools come into more widespread use is the idea of proper attribution and copyright.
In November 2022, there was a class-action lawsuit brought against GitHub Copilot, led by programmer and lawyer Matthew Butterick.
The argument made in the suit is that GitHub violated open-source licenses by training Copilot on GitHub repositories. Eleven open-source licenses, including MIT, GPL, and Apache, require the creator’s name and copyright to be attributed.
In addition to violating copyright, Butterick wrote that GitHub violated its own terms of service, DMCA 1202, and the California Consumer Privacy Act.
“This is the first step in what will be a long journey,” Butterick wrote on the webpage for the lawsuit. “As far as we know, this is the first class-action case in the US challenging the training and output of AI systems. It will not be the last. AI systems are not exempt from the law. Those who create and operate these systems must remain accountable. If companies like Microsoft, GitHub, and OpenAI choose to disregard the law, they should not expect that we the public will sit still. AI needs to be fair & ethical for everyone. If it’s not, then it can never achieve its vaunted aims of elevating humanity. It will just become another way for the privileged few to profit from the work of the many.”